Problem/Motivation

Form-data introduces a new security issue.
Link to the fix - https://github.com/form-data/form-data/security/advisories/GHSA-fjxv-7rq...

Proposed resolution

Currently, Drupal 10.3 uses the 4.0.0 version (yarn.lock file) of the form-data. It should be updated to 4.0.4

Issue fork drupal-3539508

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

Comments

astonvictor created an issue. See original summary.

immaculatexavier made their first commit to this issue’s fork.

immaculatexavier’s picture

Status: Active » Needs review

Updated form-data to 4.0.4 in web/core/yarn.lock to resolve security vulnerability GHSA-fjxv-7rq2-vm57.
PHPUnit tests fails

needs-review-queue-bot’s picture

Status: Needs review » Needs work
StatusFileSize
new91 bytes

The Needs Review Queue Bot tested this issue. It no longer applies to Drupal core. Therefore, this issue status is now "Needs work".

This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

cilefen’s picture

Version: 10.3.x-dev » 11.x-dev
cilefen’s picture

Priority: Normal » Major

emixaam made their first commit to this issue’s fork.

emixaam’s picture

Status: Needs work » Needs review

Since the issue was retargeted to 11.x, I created the new MR 13846.

Updated form-data to 4.0.4 in core/yarn.lock.

All tests pass. Changing status to Needs review.

smustgrave’s picture

Status: Needs review » Reviewed & tested by the community

Looks like a good update, nice find!

longwave’s picture

Version: 11.x-dev » 10.6.x-dev
Status: Reviewed & tested by the community » Needs work

Committed and pushed c69a0abdee3 to 11.x and 7b7967df2c9 to 11.3.x and 76076f17ece to 11.2.x. Thanks!

Not sure we should hardcode the resolution in package.json in 10.x, moving to NW to fix that in 10.6.x (and perhaps 10.5.x).

  • longwave committed 76076f17 on 11.2.x
    fix: #3539508 form-data: Usage of unsafe random function
    
    By:...

  • longwave committed 7b7967df on 11.3.x
    fix: #3539508 form-data: Usage of unsafe random function
    
    By:...

  • longwave committed c69a0abd on 11.x
    fix: #3539508 form-data: Usage of unsafe random function
    
    By:...

quietone made their first commit to this issue’s fork.

quietone’s picture

Status: Needs work » Needs review
smustgrave’s picture

Status: Needs review » Needs work

I see in 11.x we went to 4.0.4 but in 10.6 going to 4.0.5, feel we probably should go to the same version right?

thidd’s picture

Status: Needs work » Needs review

I think we need to reopen https://git.drupalcode.org/project/drupal/-/merge_requests/13846 for 11.x @longwave

smustgrave’s picture

Status: Needs review » Needs work

@longwave thoughts

Nothing has changed so don’t think review is correct status

  • longwave committed dd3199e1 on 10.6.x
    fix: #3539508 form-data: Usage of unsafe random function
    
    By:...
longwave’s picture

Status: Needs work » Fixed

As long as we're on a secure version it doesn't matter for this dependency. It's only here because of jsdom, which in turn is only needed for a single Nightwatch test. Let's just ship the 10.6 fix and be done.

Committed and pushed dd3199e196a to 10.6.x. Thanks!

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.

smustgrave’s picture

Thanks for taking a look!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.